Community discussions

MikroTik App
 
Cougar281
newbie
Topic Author
Posts: 29
Joined: Mon Sep 23, 2013 3:52 am

ROS 6.9 VPN bug?

Fri Feb 07, 2014 2:33 am

After working with my RB951-2n for the last two days getting the Site to Site VPN set up on it and experimenting with getting some kind of VoIP prioritization set up, I upgraded it from 6.7 to 6.9.

Now, every time I reboot it, the policy for my VPN says 'Invalid' until I open it and click apply - then it magically says 'not invalid' and the tunnel comes up.

I thought maybe it was something odd lingering so I removed it and went to re-create it, and it would not let me create it with 0.0.0.0 in the 'SA Src/ Address' field. Didn't have any problem doing that in 6.7. I then tried putting the public IP The connection is coming from, which did not work. I put the private NAT IP assigned to the WAN interface and the tunnel came up (It's currently behind a Linksys for Nat-T testing). After that was saved and the tunnel was established, it allowed me to change the 'SA Src. Address' back to 0.0.0.0 and the tunnel comes up fine. But when I reboot, it still goes back to 'Invalid'. I 'downgraded' back to 6.7 and the VPN tunnel comes up at boot without issue.
 
jandafields
Forum Guru
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: ROS 6.9 VPN bug?

Fri Feb 07, 2014 4:23 am

After working with my RB951-2n for the last two days getting the Site to Site VPN set up on it and experimenting with getting some kind of VoIP prioritization set up, I upgraded it from 6.7 to 6.9.

Now, every time I reboot it, the policy for my VPN says 'Invalid' until I open it and click apply - then it magically says 'not invalid' and the tunnel comes up.

I thought maybe it was something odd lingering so I removed it and went to re-create it, and it would not let me create it with 0.0.0.0 in the 'SA Src/ Address' field. Didn't have any problem doing that in 6.7. I then tried putting the public IP The connection is coming from, which did not work. I put the private NAT IP assigned to the WAN interface and the tunnel came up (It's currently behind a Linksys for Nat-T testing). After that was saved and the tunnel was established, it allowed me to change the 'SA Src. Address' back to 0.0.0.0 and the tunnel comes up fine. But when I reboot, it still goes back to 'Invalid'. I 'downgraded' back to 6.7 and the VPN tunnel comes up at boot without issue.
6.9 is very broken. If you use any vpn/ppp, it is best to stay on 6.7 until they fix it.
 
littlebill
Member Candidate
Member Candidate
Posts: 235
Joined: Sat Apr 30, 2011 3:11 am

Re: ROS 6.9 VPN bug?

Fri Feb 07, 2014 5:26 pm

x2

there is already a beta out with fixes.

6.9 broke my vpn stuff all over the board
 
jandafields
Forum Guru
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: ROS 6.9 VPN bug?

Fri Feb 07, 2014 5:29 pm

x2

there is already a beta out with fixes.

6.9 broke my vpn stuff all over the board
I tried 6.10 yesterday. Unfortunately, it did not fix it. Downgrading to 6.7 fixed it.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: ROS 6.9 VPN bug?

Fri Feb 07, 2014 5:52 pm

 
jandafields
Forum Guru
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: ROS 6.9 VPN bug?

Fri Feb 07, 2014 5:56 pm

No, i am using pptp and sstp.

sstp works with other 6.9 devices ... but 6.7 devices cannot connect.

6.9 cannot connect to linux pptp servers as a client. 6.7 connects fine to linux pptp servers
 
littlebill
Member Candidate
Member Candidate
Posts: 235
Joined: Sat Apr 30, 2011 3:11 am

Re: ROS 6.9 VPN bug?

Fri Feb 07, 2014 7:07 pm

x2

there is already a beta out with fixes.

6.9 broke my vpn stuff all over the board
I tried 6.10 yesterday. Unfortunately, it did not fix it. Downgrading to 6.7 fixed it.

thats disappointing, was gonna try it in a couple days, but i have had my second Hard crash on my 2011. i have to pull power, i need to use a console cable next time to see whats going on. really disappointed with this 6.x stuff.

my 5.26 stuff is flawless
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: ROS 6.9 VPN bug?

Fri Feb 07, 2014 7:46 pm

I just set up a site-to-site VPN with a RB433AH ROS v6.5 as the pptp server and a RB433 ROS v6.9 as the pptp client and it works fine. ??

edit: Just to make sure all is well, I upgraded the RB433AH to ROS v6.9 (daring indeed!) and it works just as well with that version. 8)
 
Cougar281
newbie
Topic Author
Posts: 29
Joined: Mon Sep 23, 2013 3:52 am

Re: ROS 6.9 VPN bug?

Fri Feb 07, 2014 8:29 pm

It's a bit scary that 6.9 was released in such a broken state...
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: ROS 6.9 VPN bug?

Fri Feb 07, 2014 8:57 pm

It's a bit scary that 6.9 was released in such a broken state...
I have tried this supposed "fail" and I can't find where it is broken. My site-to-site vpn works with v6.9.

I agree with karina in this post.
http://forum.mikrotik.com/viewtopic.php ... 14#p407972
 
Cougar281
newbie
Topic Author
Posts: 29
Joined: Mon Sep 23, 2013 3:52 am

Re: ROS 6.9 VPN bug?

Fri Feb 07, 2014 11:58 pm

It's a bit scary that 6.9 was released in such a broken state...
I have tried this supposed "fail" and I can't find where it is broken. My site-to-site vpn works with v6.9.

I agree with karina in this post.
http://forum.mikrotik.com/viewtopic.php ... 14#p407972
That may be true.... BUT... in my case, it's a pretty simple setup - the only 'mistake' as far as the VPN config is would be the 0.0.0.0 for the SA Source. putting an address in there is all well and good when you are dealing with a Site to Site VPN that's static on both ends. But when the end the device is on is dynamic, you can't specify an address.

Maybe having 0.0.0.0 in there is 'wrong', but you need SOME way to allow the device to function as a dynamic endpoint.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: ROS 6.9 VPN bug?

Sat Feb 08, 2014 12:07 am

I think I see your challenge. Which end device is dynamic? The server or client?
 
Cougar281
newbie
Topic Author
Posts: 29
Joined: Mon Sep 23, 2013 3:52 am

Re: ROS 6.9 VPN bug?

Sat Feb 08, 2014 12:16 am

I think I see your challenge. Which end device is dynamic? The server or client?
The client. At the server end I have a Cisco ASA 5510 with a /27 block of static IPs set up with a Dynamic L2L VPN in addition to the static ones. The plan for the Mikrotiks is to have them at the users Home Offices to allow the Avaya IP Phones to contact the phone system without using the built-in VPN functionality as it's a bit flaky, causing dropped calls. The Mikrotik has been running great as a VPN endpoint. It even works behind a Linksys NAT firewall (But won't work through my uVerse connections NAT for some reason).

With this setup, the client end doesn't need to be static as the connection is being initiated from there by the phone. There's no need for the main office end to 'reach back' through the VPN to the Home Office.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: ROS 6.9 VPN bug?

Sat Feb 08, 2014 12:29 am

I just set my client as dynamic. It got a new ip and connected to the server again and is working fine.

Where are you trying to enter this 0.0.0.0? I see no src-address setting here.

edit: but I think ipsec has a src-address setting. Is that what you mean?
 
Cougar281
newbie
Topic Author
Posts: 29
Joined: Mon Sep 23, 2013 3:52 am

Re: ROS 6.9 VPN bug?

Mon Feb 10, 2014 11:15 pm

I just set my client as dynamic. It got a new ip and connected to the server again and is working fine.

Where are you trying to enter this 0.0.0.0? I see no src-address setting here.

edit: but I think ipsec has a src-address setting. Is that what you mean?
Yes, 'sa-src-address=' in '/ip ipsec policy'. 6.9 would not allow that to be 0.0.0.0 and when that endpoint is dynamic, you cannot specify an IP as when it changes, it will no longer work.

The pfSense firewall I've been using has a dropdown for 'My Identifier',which I believe is what 'SA Src Address' is referring to, with several options when creating a SA: 'My IP Address, which will use whatever the external IP address is, 'IP Address', which when selects, gives you a field to populate with an IP, along with several others, including DN, User DN and a few others.

Another thing that would be VERY useful is if the ROS IPSec setup could specify a hostname (vpn.mydomain.com) as a SA Destination address, rather than IP. It's not often that the target address needs to be changed, but it's not unheard of.

Who is online

Users browsing this forum: nichky and 20 guests